tomcat-dev mailing list archives

From "Yann GUEVEL" <yanng...@hotmail.com>
Subject JAASCallbackHandler clear password in the log file
Date Mon, 24 Nov 2003 13:07:15 GMT
Hi,

If the debug level is > 3, the
org.apache.catalina.realm.JAASCallbackHandler.handle method writes the
login and password it received to the log file (Tomcat 4.1.29
JAASCallbackHandler.java, line 155). So anyone who can access the
machine on which Tomcat is running can see all the logins and passwords used.
Isn't this unsafe? Shouldn't this log be removed?

Thanks for your answers.

Yann
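
An added example, not part of the original message and not Tomcat's code: a JAAS `CallbackHandler` whose debug logging records the username and the fact that a password was supplied, but never the password value. The class name, logger name and sample credentials are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Hypothetical handler, not Tomcat's JAASCallbackHandler: it supplies the
// credentials to the LoginModule and logs only non-secret facts about them.
public class RedactingCallbackHandler implements CallbackHandler {
    private static final Logger LOG = Logger.getLogger("auth.callback");
    private final String username;
    private final char[] password;

    public RedactingCallbackHandler(String username, char[] password) {
        this.username = username;
        this.password = password.clone();
    }

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
                LOG.log(Level.FINE, "Returning username {0}", sanitize(username));
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);
                // Record that a password was supplied, never its value.
                LOG.fine("Returning password [REDACTED]");
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    // Strip CR/LF so a crafted username cannot forge extra log lines.
    static String sanitize(String s) {
        return s == null ? "" : s.replaceAll("[\\r\\n]", "_");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credentials.
        Callback[] cbs = { new NameCallback("user: "), new PasswordCallback("pw: ", false) };
        new RedactingCallbackHandler("alice\nadmin", "s3cret".toCharArray()).handle(cbs);
        System.out.println(((NameCallback) cbs[0]).getName().equals("alice\nadmin"));
    }
}
```

The redaction is unconditional, so raising the log level to FINE or beyond never changes what secret material reaches the log file.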


